Secure sending via rsyslog

Rsyslog is the default syslog package that is commonly used by Linux distributions.

It usually consists of a configuration file (/etc/rsyslog.conf) and a directory (/etc/rsyslog.d/) that holds the filters, templates and rules in separate files so that the processing configuration stays structured.

The use of SSL/TLS is supported by rsyslog in version 3.19.0 and later.

Rsyslog allows for the following three levels of SSL/TLS channel security:

Encrypted channel: The transportation channel is encrypted, no additional verification is performed.

Encrypted channel + peer checking: The transportation channel is encrypted and the server certificate is used for authentication. Rsyslog must have the certificate verification chain (CA + sub-CAs) in order to perform the validation.

Encrypted channel + peer checking + client authentication: The transportation channel is encrypted, the server certificate is used for authentication, and a client certificate is used to authenticate the client (the sending host). Rsyslog must have access to the client certificate's public and private keys.

An SSL/TLS secure channel with a client certificate is obligatory in order to send logs to Devo using a secure channel.

Configuration

However, the rsyslog-gnutls package is no longer required for Ubuntu systems running rsyslog 8.2 stable (or later). If you are running rsyslog 8.2 stable or later, you should skip this step. To check your version of rsyslog, run this command:

rsyslogd -v

The only difference from a normal rsyslog configuration with TCP sending is that you need to add the following lines just before the line that indicates the log destination:
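The following rsyslog configuration is an added example written for this page; it is not the configuration block from the Devo documentation, and the relay hostname, port and certificate paths are placeholders you must replace with the values Devo provides. It uses rsyslog's RainerScript syntax (rsyslog 8) and the GnuTLS stream driver, and it shows all three channel security levels described above: the StreamDriverAuthMode value selects between an unverified encrypted channel ("anon") and server peer checking ("x509/certvalid" or "x509/name"), while supplying the client certificate and key in the global() block adds client authentication, the level Devo requires.

```rsyslog
# Added example, not Devo's own configuration. Placeholders in angle brackets
# are assumptions and must be replaced with the values for your Devo relay.

# Global TLS settings: use the GnuTLS netstream driver (needs rsyslog-gnutls
# on older releases) and point it at:
#   - the verification chain (CA + sub-CAs) that signed the Devo server cert,
#   - the client certificate and private key that identify this host.
# Keep the private key readable only by the rsyslog process owner.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/devo-chain.crt"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/client.crt"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/client.key"
)

# Level 3: encrypted channel + server peer checking + client authentication.
# StreamDriverMode="1" forces TLS (0 would allow a plaintext fallback).
# StreamDriverAuthMode="x509/name" validates the server chain against the CA
# file above AND checks that the certificate name matches the permitted peer.
# The in-memory queue plus unlimited retries keeps events from being dropped
# while the TLS session is being (re)established.
action(
  type="omfwd"
  target="<devo-relay-host>"
  port="<devo-port>"
  protocol="tcp"
  StreamDriver="gtls"
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="<devo-relay-host>"
  queue.type="LinkedList"
  action.resumeRetryCount="-1"
)

# For comparison only, the weaker levels differ just in the auth mode:
#   Level 1 (encrypted channel, no verification):
#     StreamDriverAuthMode="anon"            and no PermittedPeers
#   Level 2 (encrypted channel + peer checking, no client auth):
#     StreamDriverAuthMode="x509/certvalid"  and omit the Cert/Key files
# Neither meets Devo's requirement for a client certificate.
```

After saving the file under /etc/rsyslog.d/, validate the configuration with `rsyslogd -N1` before restarting the service; a wrong CA file or a name mismatch in the permitted peer shows up there and in the rsyslog error log rather than as a silent drop of events.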

In Devo, go to Data Search and look for the box.unix table to confirm that these events were received.

If the system has SELinux enabled in enforcing mode (run the getenforce command to check the status) it may be necessary to add exceptions to the SELinux policy. See syslog & SELinux configuration for more information.